Publication Type
Journal Article
Version
acceptedVersion
Publication Date
1-2025
Abstract
Single-sign-on authentication is widely deployed in mobile systems: it allows an identity server to authenticate a mobile user and issue her/him with a token, such that the user can access diverse mobile services. To address the single-point-of-failure problem, threshold single-sign-on authentication (PbTA) is a feasible solution, where multiple identity servers perform user authentication and token issuance in a threshold way. However, existing PbTA schemes confront critical drawbacks. Specifically, these schemes are vulnerable to perpetual secret leakage attacks (PSLA): an adversary perpetually compromises secrets of identity servers (e.g., secret key shares or credentials) to break security. Besides, they fail to achieve popular password collection, which is an effective means of enhancing system security. In this paper, we propose a secure PbTA scheme with popular password collection, dubbed AugSSO. In AugSSO, we conceive an efficient key renewal mechanism that allows identity servers to periodically update secret key shares in batches, and require the storage of hardened password-derived public keys in credentials for user authentication, thereby resisting PSLA. We also present a popular password collection mechanism, where an aggregation server is introduced to identify popular passwords without disclosing unpopular ones. We provide a security analysis and performance evaluation to demonstrate the security and efficiency of AugSSO.
Keywords
Mobile users, perpetual leakage, popular password collection, threshold single-sign-on authentication
Discipline
Information Security
Research Areas
Cybersecurity
Publication
IEEE Transactions on Mobile Computing
First Page
1
Last Page
16
ISSN
1536-1233
Identifier
10.1109/TMC.2024.3525453
Publisher
Institute of Electrical and Electronics Engineers
Citation
JIANG, Changsong; XU, Chunxiang; and YANG, Guomin.
AugSSO: Secure threshold single-sign-on authentication with popular password collection. (2025). IEEE Transactions on Mobile Computing. 1-16.
Available at: https://ink.library.smu.edu.sg/sis_research/10104
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1109/TMC.2024.3525453